assignUser commented on issue #41678: URL: https://github.com/apache/arrow/issues/41678#issuecomment-2113701840
Supply chain attacks are of course a valid concern, but we can't avoid changes to the KEYS file. Arrow is a large project and individuals sign our releases; sometimes someone new takes on the responsibility (or new sub-projects are added), so changes are needed. For apache/arrow releases there was one addition made in the last 2+ years, and we added the key 6+ months before first using it to allow for the change to propagate. So it can't really be said that the file changes frequently. (There were a small number (2-3?) of sub-project additions unrelated to release signing for apache/arrow.)

I think something that could make sense in the future is to announce changes to the KEYS file on the user mailing list with a hash of the new file, signed with an existing key from the file. This would provide a second channel to confirm the validity of any changes to the file. What do you think @kou?

In addition, there was a change to the ASF release policy that now allows automatic release signing with a key not bound to an individual. This would further lower the frequency of changes to KEYS, likely towards 0. But our release process is quite involved and there are strict requirements for automatic signing to be implemented, so this is not a change we can promise for the near future.

When we implement automatic release signing it might also be possible to additionally make use of https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/ to add another source of trust, but I haven't looked into the requirements or use cases for this so far.

If you have ideas (other than never changing KEYS :wink:) on how to improve this for downstream projects/users, contributions are of course always appreciated.

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
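As an added example (not code from the Arrow project or from the comment above), this is the downstream-side check the proposed second channel implies, in Python: once `gpg --verify` has validated the mailing-list announcement and reported the signer's fingerprint, confirm that the signer was already in the previously trusted KEYS file, that the downloaded KEYS file matches the announced hash, and list which keys were added or removed. The KEYS contents, fingerprints and the SHA-512 announcement format are constructed for this example.

```python
import hashlib
import re

# Constructed sample KEYS files in the Apache style: each signer's gpg "pub"
# header and fingerprint line, then an ASCII-armored key block. Fingerprints
# and key bodies below are made up; nothing here is a real Arrow key.
OLD_KEYS = """pub   rsa4096 2019-01-01 [SC]
      1111 2222 3333 4444 5555  6666 7777 8888 9999 AAAA
uid           Alice Example (CODE SIGNING KEY) <alice@example.org>
-----BEGIN PGP PUBLIC KEY BLOCK-----
...constructed key block...
-----END PGP PUBLIC KEY BLOCK-----
"""
NEW_KEYS = OLD_KEYS + """pub   rsa4096 2024-05-01 [SC]
      BBBB CCCC DDDD EEEE FFFF  0000 1111 2222 3333 4444
uid           Bob Example (CODE SIGNING KEY) <bob@example.org>
-----BEGIN PGP PUBLIC KEY BLOCK-----
...constructed key block...
-----END PGP PUBLIC KEY BLOCK-----
"""

# A gpg fingerprint line: ten groups of four hex digits, indented.
FPR_RE = re.compile(r"^\s+((?:[0-9A-F]{4}\s+){9}[0-9A-F]{4})\s*$", re.M)


def fingerprints(keys_text):
    """Return the set of 40-hex-digit fingerprints listed in a KEYS file."""
    return {m.group(1).replace(" ", "") for m in FPR_RE.finditer(keys_text)}


def sha512_hex(text):
    """Hash of the KEYS file as it would be quoted in the announcement."""
    return hashlib.sha512(text.encode()).hexdigest()


def check_keys_update(old_keys, new_keys, announced_sha512, signer_fpr):
    """Second-channel check. signer_fpr is the fingerprint gpg reported for the
    (already verified) announcement. Returns (ok, reasons, added, removed)."""
    old, new = fingerprints(old_keys), fingerprints(new_keys)
    signer = signer_fpr.replace(" ", "").upper()
    reasons = []
    if signer not in old:
        reasons.append("announcement signed by a key not in the trusted KEYS")
    if sha512_hex(new_keys) != announced_sha512.lower():
        reasons.append("downloaded KEYS does not match the announced hash")
    return (not reasons, reasons, sorted(new - old), sorted(old - new))
```

A key that appears only in the new file can never vouch for its own addition: the signer must come from the set of fingerprints you already trusted.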